How to change from LDAP to LDAPS on the Portal appliance?
Question:
How can secure LDAP access be enabled on the Portal?
When enabling Active directory over SSL and changing the corresponding port to 636 an error is received that the connection has failed (failed to connect to).
Answer:
In some cases you have to verify connectivity and valid certificates are introduced into the Appliance with the steps below.
Steps:
NOTE: Replace any "nxtsvr001dc.nxtsuplab.loc" or "nxtsvr001dc" with the corresponding AD server for this procedure.
Verify connectivity to the DC on the LDAPS port from the portal CLI:
nc -vz -w 1 nxtsvr001dc.nxtsuplab.loc 636
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 172.19.1.201:636.
Ncat: 0 bytes sent, 0 bytes received in 0.02 seconds.Pull the AD server certificate and verify there is one present in the section -BEGIN CERTIFICATE- and -END CERTIFICATE
openssl s_client -host nxtsvr001dc.nxtsuplab.loc -port 636 -prexit -showcertsIf so, export it to a file named ADserver.pem
echo | openssl s_client -connect nxtsvr001dc.nxtsuplab.loc:636 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >ADserver.pemIf not, then please follow up with the administrator of the AD server
NOTE: if there are multiple certificates (rootCA and intermediates) presented in the first command you may need to also import these in the Java keystore. See the end of this doc on how to export them from the LDAPS server.
Verify the information in the certificate is valid.
openssl x509 -text -in ADserver.pemStop the portal:
sudo systemctl stop nxportalImport the ADserver certificate into the keystore.
NOTE: Change the alias to something else which corresponds to your environment.
sudo sh /var/nexthink/portal/security/import_certificate.sh -alias nxtsvr001dc -file /home/nexthink/ADserver.pem -storepass changeitSample output:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: Nexthink Certificate import script version 08.06.rev001 ::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Owner: CN=NXTSVR001DC.nxtsuplab.loc
Issuer: CN=NXTSVR001DC.nxtsuplab.loc
Serial number: 53a0747786ba12b442f61c3580ef6383
Valid from: Tue Oct 22 11:27:29 CEST 2019 until: Thu Oct 22 02:00:00 CEST 2020
Certificate fingerprints:
MD5: 55:91:28:A7:4B:16:5D:B3:DA:C6:1D:3B:1B:1C:5F:C5
SHA1: 13:CC:9D:39:51:93:DA:CF:73:AD:F4:15:DA:3E:DD:7E:70:53:97:23
SHA256: 3D:2F:B1:05:B5:47:68:16:AE:50:0A:95:7A:B7:30:17:23:B0:9B:4E:13:1A:5C:CC:C9:15:F2:CB:5B:FF:D9:BE
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
#2: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_Encipherment
Data_Encipherment
]
Trust this certificate? [no]: yes
Certificate was added to keystoreStart the portal:
sudo systemctl start nxportalGo back to the portal’s webconsole and test your connection on port 636
To export all the certificates from the LDAPS service, the following example can be used:
Get the chain up to 5 levels.
Note: Replace YOURLDAPS_SERVER for the FQDN of your LDAPS server
openssl s_client -showcerts -verify 5 -connect YOURLDAPS_SERVER:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}'Rename to their CN Field name:
for cert in *.pem; do newname=$(openssl x509 -noout -subject -in $cert | sed -n 's/^.*CN=\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem; mv $cert $newname; doneThis should get all certificates and convert them for import later in the Java keystore.